Shibboleth CRU account

Hi,

We're trying to set up Shibboleth authentication with Nuxeo 6.0 and Renater as WAYF. Our LDAP users are identified by their UID, but we would like to allow connections from abroad by way of the CRU (compte réseau universel). CRU accounts, however, use the email address as key. How could we configure the Shibboleth add-on to allow, on one hand, authentication with the UID (LDAP) and, on the other hand, authentication with the email (CRU accounts)?

Thanks in advance

0 votes

2 answers

1760 views

ANSWER



Hi pibou Bouvret,

Thank you for your answer, I really appreciate it!

Indeed, I've already tried many configurations, but the only one that performs correctly is "default".

I've read here that I need to patch ShibbolethAuthenticationPlugin.java to obtain what I expected (+ `fieldMap.put("username", userId);`).

In V6, the code extract is:

```java
public UserIdentificationInfo handleRetrieveIdentity(
        HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
    if (getService() == null) {
        return null;
    }

    // User id as resolved by the service from the Shibboleth headers
    String userId = getService().getUserID(httpRequest);
    if (userId == null || "".equals(userId)) {
        return null;
    }
    Session userDir = null;
    try {
        UserManager userManager = Framework.getService(UserManager.class);
        userDir = Framework.getService(DirectoryService.class).open(
                userManager.getUserDirectoryName());
        // Shibboleth headers mapped onto user schema fields
        Map<String, Object> fieldMap = getService().getUserMetadata(
                userManager.getUserIdField(), httpRequest);
        DocumentModel entry = userDir.getEntry(userId);
        if (entry == null) {
            // patch RB: create the entry with the resolved user id as username
            fieldMap.put("username", userId);
            // end patch RB
            userDir.createEntry(fieldMap);
        } else {
            entry.getDataModel(userManager.getUserSchemaName()).setMap(
                    fieldMap);
            userDir.updateEntry(entry);
        }
    } catch (Exception e) {
        log.error("Failed to get or create user entry", e);
    } finally {
        if (userDir != null) {
            try {
                userDir.close();
            } catch (DirectoryException e) {
                log.error("Error while closing directory session", e);
            }
        }
    }

    return new UserIdentificationInfo(userId, userId);
}
```

In version 8.2, ShibbolethAuthenticationPlugin.java is quite different. Sadly, I can't understand how it operates.

Even though I can't manage multiple keys in v6.0, if I choose , my CRU user logs in to Nuxeo with his account (an account was created for him beforehand, since we're in multi-directory mode), but this user can't retrieve the folders where he has rights.

If you can give me some advice…

0 votes



Don't you have the EPPN transmitted by the CRU IdP? It should be, according to https://services.renater.fr/federation/participants/sac/faq
05/10/2017

Hello Pibou,

In the log file shibd.log I can find at 17:05 (login of my CRU user):

```
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeExtractor.XML [16]: skipping unmapped NameID with format (urn:oasis:names:tc:SAML:2.0:nameid-format:transient)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeDecoder.String [16]: decoding SimpleAttribute (mail) from SAML 2 Attribute (urn:oid:0.9.2342.19200300.100.1.3) with 1 value(s)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeDecoder.String [16]: decoding SimpleAttribute (sn) from SAML 2 Attribute (urn:oid:2.5.4.4) with 1 value(s)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeDecoder.String [16]: decoding SimpleAttribute (givenName) from SAML 2 Attribute (urn:oid:2.5.4.42) with 1 value(s)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeDecoder.String [16]: decoding SimpleAttribute (preferredLanguage) from SAML 2 Attribute (urn:oid:2.16.840.1.113730.3.1.39) with 1 value(s)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeDecoder.NameID [16]: decoding NameIDAttribute (persistent-id) from SAML 2 Attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.10) with 1 value(s)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeDecoder.NameID [16]: decoding saml2:NameID child element of AttributeValue
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeFilter [16]: filtering 5 attribute(s) from (urn:mace:cru.fr:federation:sac)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeFilter [16]: applying filtering rule(s) for attribute (mail) from (urn:mace:cru.fr:federation:sac)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeFilter [16]: applying filtering rule(s) for attribute (sn) from (urn:mace:cru.fr:federation:sac)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeFilter [16]: applying filtering rule(s) for attribute (givenName) from (urn:mace:cru.fr:federation:sac)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeFilter [16]: applying filtering rule(s) for attribute (preferredLanguage) from (urn:mace:cru.fr:federation:sac)
2017-05-10 17:05:51 DEBUG Shibboleth.AttributeFilter [16]: applying filtering rule(s) for attribute (persistent-id) from (urn:mace:cru.fr:federation:sac)
```

So, it seems the EPPN isn't transmitted. What can I do to remedy it?

Thanks in advance,

05/10/2017

According to the Renater docs, the EPPN is provided if it is required by your SP: your SP declaration has to be modified. NB: maybe persistent-id could be used (cf. https://services.renater.fr/federation/technique/attributs)
05/10/2017

Hi Pibou, thanks,

I've tried different settings today according to Renater's attribute documentation. Henceforth, I am able to create CRU users!

1) Creation of the CRU user on https://cru.renater.fr/sac/
2) Creation of the same user on Nuxeo, with the option "invite and create"
3) Login of the CRU user on Nuxeo, from the email invitation. Nuxeo asks for a password.
4) After a logout problem, this user is able to connect to Nuxeo (the definition `currentUser.user.email.endsWith("@gmx.fr")` works!)

One big problem remains:

To log in to Nuxeo as administrator, I have to set `<default>uid</default>`. To log in to Nuxeo as a CRU user, I have to set `<default>mail</default>` in shibboleth-login-config.xml.

`<uidHeader idpUrl="https://cru.renater.fr/idp">mail</uidHeader>` does not work.

Maybe I have to modify the Java code following Raymond Bourges' instructions…

Thanks,

05/11/2017


You can have a look at the sample configuration of ShibbolethAuthenticationService

http://explorer.nuxeo.com/nuxeo/site/distribution/Nuxeo%20DM-8.2/viewExtensionPoint/org.nuxeo.ecm.platform.shibboleth.service.ShibbolethAuthenticationService--config

You can define a uid mapping from shib attributes varying according to the idp of the user.

A configuration could be to map the uid for your idp and a default one using eppn or email.

0 votes
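As an added illustration of the per-IdP uid mapping described in this answer (and of the `<default>` / `<uidHeader>` elements the asker tried above), here is a complete contribution to the `ShibbolethAuthenticationService` config extension point. This is example configuration written for this page, not the asker's file nor a sample shipped by Nuxeo. The element names `uidHeaders`, `default` and `uidHeader idpUrl` come from the thread; `loginURL`, `logoutURL`, `idpHeader`, `headerEncoding` and `fieldMapping` are assumed to match the add-on's config descriptor and should be checked against the extension point page linked in the answer; the component name and the `nuxeo.example.org` host are placeholders.

```xml
<?xml version="1.0"?>
<!-- Example contribution (not from the thread or from Nuxeo): one login key per IdP. -->
<component name="org.example.shibboleth.config" version="1.0">
  <extension target="org.nuxeo.ecm.platform.shibboleth.service.ShibbolethAuthenticationService"
             point="config">
    <config>
      <!-- Where the SP sends the browser to authenticate and to log out (placeholder host) -->
      <loginURL>https://nuxeo.example.org/Shibboleth.sso/WAYF/renater</loginURL>
      <logoutURL>https://nuxeo.example.org/Shibboleth.sso/Logout</logoutURL>

      <!-- Request header, set by the Shibboleth SP, carrying the entityID of the IdP
           that authenticated the user; the uidHeader below is chosen by comparing it -->
      <idpHeader>shib-identity-provider</idpHeader>
      <headerEncoding>UTF-8</headerEncoding>

      <uidHeaders>
        <!-- Home population: the institutional IdP releases the LDAP uid -->
        <default>uid</default>
        <!-- CRU accounts: key on the scoped eppn once Renater releases it to this SP
             (see the SP declaration remark above); mail is the fallback the asker used -->
        <uidHeader idpUrl="https://cru.renater.fr/idp">eppn</uidHeader>
      </uidHeaders>

      <!-- Shibboleth attribute header -> user schema field, used when the plugin
           creates or updates the directory entry (see handleRetrieveIdentity above) -->
      <fieldMapping header="mail">email</fieldMapping>
      <fieldMapping header="givenName">firstName</fieldMapping>
      <fieldMapping header="sn">lastName</fieldMapping>
    </config>
  </extension>
</component>
```

Two points worth checking when deploying something like this. First, the `idpUrl` must be the exact entityID the SP puts in the `idpHeader`; otherwise the `default` key is silently used, which is the symptom the asker describes. Second, because `handleRetrieveIdentity` creates and updates user entries straight from these header values, the HTTP front end must only ever pass them through from the Shibboleth SP (mod_shib's own spoof checking, or stripping client-supplied copies at the proxy), so that a request cannot carry its own `uid` or `mail` header and be mapped onto an existing account.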